GNU bug report logs -
#21350
25.0.50; Do not automatically include authorization header in HTTP redirects
Previous Next
Reported by: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
Date: Wed, 26 Aug 2015 02:38:01 UTC
Severity: normal
Tags: patch
Found in version 25.0.50
Done: Thomas Fitzsimmons <fitzsim <at> fitzsim.org>
Bug is archived. No further changes may be made.
Full log
Message #27 received at 21350-done <at> debbugs.gnu.org (full text, mbox):
Stefan Monnier <monnier <at> iro.umontreal.ca> writes:
>> Here's the updated patch that I tested. Does it look OK stylistically?
>
> Yes, but you need to change the beginning of the file so cl-lib is not
> only require when compiling but also at run-time (since cl-remove is
> not a macro but a function).
OK, I pushed the patch. Thanks for reviewing.
I had hoped to publish a Docker image that would allow testing the
various authorization schemes across redirects, but configuring a server
to authenticate with NTLM using Free Software proved too difficult. I
did test against a proprietary NTLM implementation, and against the two
built-in auth schemes as well. The results were:
| Authenticated Redirect |
|-------------+---------------+------------|
| Auth Scheme | Without Patch | With Patch |
|-------------+---------------+------------|
| Basic | Works | Works |
| Digest | Fails | Fails |
| NTLM | Fails | Works |
I'm not sure what's wrong with the digest scheme (Firefox works), but
this patch doesn't make digest redirects worse.
Thomas
This bug report was last modified 9 years and 243 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.